netlib-bl@netlib.bell-labs.com

Netlib now publishes signed MD5 checksums, to provide an extra margin
of security for people downloading netlib files through less trusted
channels. We look forward to a time when code authors sign their
programs as well.

The netlib-bl signature asserts only that the distributed files match
the copy on the master disk. The netlib editors attempt to exclude junk
and viruses but are not in a position to absolutely rule out the
possibility, and rely on end users to study downloaded material and
satisfy themselves that it meets their requirements.

Ordinarily, you'll verify this key using the fingerprint published
in the Netlib News column in the SIAM News.

verifying downloaded files

We plan a tool that will launch from your Web browser
and have a user interface like WinZip. For now, here are
the manual steps you can use to confirm correct receipt.

Step 1. Get the desired file from a netlib mirror and uncompress.
Step 2. Get the MD5 file from the same netlib directory.
Step 3. Run "pgp MD5" to verify that the checksums
have not been tampered with. For this step, you must have installed
the key block above on your public keyring.
Step 4. Run "md5sum" with command line arguments being the
file names of the downloaded material.
Step 5. Compare the output with the contents of the MD5 file.

security provisions

This PGP key is adequately secure for its purpose, signing
master copies of netlib files.
The public and secret key rings are stored and used on a computer to
which a number of Bell Labs people potentially have root access.
The point is not to guard the netlib master disk from local users,
but rather to guard against malicious changes during distribution.

background

PGP is a widely and freely available method for sending material that
should be confidential or signed, and is generally regarded as safe and
effective when used as directed. To learn more about the subtle issues
involved, see Bruce Schneier, Applied Cryptography: Protocols,
Algorithms, and Source Code in C, Wiley, 1996, ISBN 0-471-11709-9.